Blog

Earlier this week the WP GDPR Compliance plugin was briefly removed from the WordPress.org repository after the discovery of critical security issues impacting its users. In yesterday’s post, we provided some details regarding these issues and illustrated their severity. In the hours since that post was published, our team has continued tracking the adversaries seeking to exploit this new attack vector. Today, we’re sharing the findings of this extended research. This post is technical in nature and will be helpful for network defenders, developers and security researchers.

If you run a WordPress site and use this plugin, you should update to the newest version which fixes the vulnerability, or remove the old version of the plugin. The newest version of WP GDPR Compliance is version 1.4.3.

Two Notable Exploits

The data gathered by our malware scans, firewall activity, and site cleaning reports has revealed two primary types of exploit taking place. The first case, identified early in our research and mentioned in yesterday’s post, involves modifying user registration settings. The second case, caught and logged by the new firewall rule for this vulnerability, injects malicious scheduled actions to be executed by WP-Cron. Examples we have seen of both attack types have made use of backdoor scripts named wp-cache.php, though the contents of these backdoor files differ between the two methods.

Administrator Access via Modified Settings

The most common attempted attacks against this flaw at the time of this writing directly exploit the ability to modify arbitrary settings on affected sites. By enabling new user registration and changing the default role of new users to Administrator, attackers are able to simply create a new privileged user, then log in and take any actions on the newly compromised site.

Interestingly, automated attempts to perform this activity are also reversing the settings modifications being made. The following screenshot contains relevant access log entries for one such attack.

In this log, we first see a GET request to the site’s homepage. This first request is necessary to produce the “ajaxSecurity” nonce required by the plugin to perform AJAX actions. Next, two POST requests are made to /wp-admin/admin-ajax.php. Data stored in POST bodies is not seen in access logs; however, in the course of our research we have been able to acquire samples of this data. The first two AJAX requests contain the following data:

In the first action, we see the attacker enabling the users_can_register option, which adds functionality to a site’s wp-login.php page allowing users to create new accounts. Next, the default_role option is set to ‘administrator’, meaning any new user registered to the site is automatically given full administrative access.

The next items in the access log show the attacker making a POST request to /wp-login.php?action=register, and the subsequent redirect to the “Registration complete. Please check your email” dialog.

Lastly, two more AJAX requests are made, containing the following instructions:

Here we can see the attacker actually reversing the configuration changes that allowed them to create an administrator account, first by disabling user registration then setting the default user role to “subscriber”. This serves to help prevent other attackers from creating their own administrator accounts, as well as reducing the likelihood that a site’s administrator will notice a problem. It closes the door behind the attacker.
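The request sequence walked through above (homepage GET, settings POSTs to admin-ajax.php, the registration POST, then the reverting POSTs) is visible in an ordinary access log even though the POST bodies are not. The following detection script is an added example written for this post, not Wordfence code: it groups combined-format log lines by client IP and flags any IP that POSTs to admin-ajax.php, registers an account within a short window, and then POSTs to admin-ajax.php again. The log lines are constructed for the example and use RFC 5737 documentation addresses rather than the attacker IPs listed below; the ten-minute window is an assumption to tune.

```python
"""Spot the settings-abuse registration pattern described above in a web server access log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined/common log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Return ip, time, method, path and status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "status": int(status),
    }


def is_ajax_post(rec):
    return rec["method"] == "POST" and rec["path"].startswith("/wp-admin/admin-ajax.php")


def is_registration_post(rec):
    return (rec["method"] == "POST" and rec["path"].startswith("/wp-login.php")
            and "action=register" in rec["path"])


def find_registration_abuse(lines, window=timedelta(minutes=10)):
    """Flag IPs that hit admin-ajax.php, register an account, then hit admin-ajax.php again.

    POST bodies are not logged, so this only sees the request shape: the settings changes,
    the registration, and the follow-up requests that revert the settings."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        for i, rec in enumerate(recs):
            if not is_registration_post(rec):
                continue
            before = [r for r in recs[:i] if is_ajax_post(r) and rec["time"] - r["time"] <= window]
            after = [r for r in recs[i + 1:] if is_ajax_post(r) and r["time"] - rec["time"] <= window]
            if before:  # settings were touched shortly before the registration
                findings.append({
                    "ip": ip,
                    "registered_at": rec["time"].isoformat(),
                    "ajax_posts_before": len(before),
                    "ajax_posts_after": len(after),
                    # two or more follow-up AJAX calls match the "close the door" behaviour
                    "settings_reverted": len(after) >= 2,
                })
    return findings


# Constructed sample log (documentation IPs 198.51.100.7 and 203.0.113.9, not real attackers).
SAMPLE_LOG = """\
198.51.100.7 - - [09/Nov/2018:13:05:01 +0000] "GET / HTTP/1.1" 200 15231 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2018:13:05:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 62 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2018:13:05:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 62 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2018:13:05:03 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2018:13:05:03 +0000] "GET /wp-login.php?checkemail=registered HTTP/1.1" 200 2910 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2018:13:05:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 62 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2018:13:05:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 62 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Nov/2018:13:06:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Nov/2018:13:07:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2910 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in find_registration_abuse(SAMPLE_LOG.splitlines()):
        print(finding)
```

Only the first IP is flagged: the second never registers an account. On a site that legitimately allows registration, unauthenticated admin-ajax.php POSTs are common, so treat a hit as a prompt to check the users and options tables rather than as proof of compromise.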

Several hours after the new user is created, the attacker logs in to their new administrator account and can begin installing further backdoors. In our sample cases, we’ve seen attackers uploading a robust PHP webshell in a file named wp-cache.php. The image below is a screenshot of the shell user interface.

With a file manager, terminal emulator, and PHP eval features, a script like this on a site can allow an attacker to deploy further payloads at will.

Backdoor Installation via Injected Cron

The second type of exploit we’re seeing is less straightforward, and more difficult to identify at a glance. By injecting malicious actions into a site’s WP-Cron schedule, these attackers are able to install a persistent backdoor that can replace itself if removed. While a variety of malicious actions can be stored and executed via WP-Cron, the cases we have seen so far rely on the presence of another popular WordPress plugin, WooCommerce.

The following line contains a portion of an AJAX request body blocked by the Wordfence firewall for attempting to insert a malicious WP-Cron task:

This cron task attempts to use WooCommerce’s built-in woocommerce_plugin_background_installer action to install the 2MB Autocode plugin, which allows the injection of arbitrary PHP code into all posts on a site. The code to be injected is stored by 2MB Autocode as an option in the database, so the next step is to modify that setting using the same vulnerability:

The [malicious_php] placeholder in the above example contains a PHP backdoor script which performs the following actions in sequence:

Receive encoded input stored in the attacker’s request as an “HTTP_X_AUTH” header, which declares the locations used in the following steps.

Make a request to http://pornmam[.]com/wp.php

Decode the response and save the resulting PHP backdoor as wp-cache.php

Include the core file /wp-admin/includes/file.php

Deactivate and delete the 2MB Autocode plugin

Clear the WP-Cron event associated with the attack

Delete the 2mb_autocode_topstring option containing this code.

While the backdoor script seen in these cases shares the name wp-cache.php with other methods, the contents are much different. Instead of a self-contained web shell, this script contains some decoding functions and some execution syntax, but none of the executed payload is stored in the file. Instead, the payload to be decoded and executed is stored as a POST variable or in a cookie.

Without any captured requests to this script, we can’t know exactly what the intended behavior is. However, given the nature of the script and its eventual call to eval(), it’s to be expected that any arbitrary code can be executed by way of this backdoor.
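Because the injected task lives in the WP-Cron schedule, which WordPress stores as a PHP-serialized array in the cron row of the options table, a defender can review it without a working site. The script below is an added example written for this post, not Wordfence or WordPress code: it decodes the serialization subset WP-Cron uses and lists every scheduled event whose hook is on a watchlist, starting with the woocommerce_plugin_background_installer action abused here. The sample schedule is constructed; its 32-character instance keys and the 2mb-autocode argument are illustrative stand-ins, not values captured from an attack.

```python
"""Inspect the serialized WP-Cron schedule (the 'cron' row in wp_options) for installer hooks."""


def php_unserialize(data: bytes, pos: int = 0):
    """Decode the PHP serialize() subset WP-Cron uses (N, b, i, d, s, a). Returns (value, next_pos)."""
    t = data[pos:pos + 1]
    if t == b"N":
        return None, pos + 2
    if t in (b"b", b"i", b"d"):
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        if t == b"b":
            return raw == b"1", end + 1
        return (int(raw) if t == b"i" else float(raw)), end + 1
    if t == b"s":
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                      # skip ':"'
        text = data[start:start + length].decode("utf-8", "replace")
        return text, start + length + 2        # skip '";'
    if t == b"a":
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                        # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            value, pos = php_unserialize(data, pos)
            result[key] = value
        return result, pos + 1                 # skip '}'
    raise ValueError("unsupported serialized type %r at offset %d" % (t, pos))


def php_serialize(value) -> bytes:
    """Encode the same subset; used here only to build the constructed sample below."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):
        return b"b:%d;" % int(value)
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, (list, dict)):
        items = value.items() if isinstance(value, dict) else enumerate(value)
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in items)
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported value %r" % (value,))


# Hooks that install or run code when WP-Cron fires them; the report above shows this one abused.
WATCHED_HOOKS = {"woocommerce_plugin_background_installer"}


def suspicious_cron_events(cron_option: bytes):
    """Return every scheduled event whose hook is in WATCHED_HOOKS, with timestamp, schedule and args."""
    cron, _ = php_unserialize(cron_option)
    findings = []
    for timestamp, hooks in cron.items():
        if not isinstance(timestamp, int):     # the top-level 'version' key is not a timestamp
            continue
        for hook, instances in hooks.items():
            if hook in WATCHED_HOOKS:
                for event in instances.values():
                    findings.append({"timestamp": timestamp, "hook": hook,
                                     "schedule": event.get("schedule"), "args": event.get("args")})
    return findings


# Constructed sample: one normal core event and one injected single-run installer event.
# The 32-char keys stand in for WP's md5(serialize(args)) instance keys; the slug is illustrative.
SAMPLE_CRON = php_serialize({
    1541700000: {"wp_version_check": {"0" * 32: {"schedule": "twicedaily", "args": [], "interval": 43200}}},
    1541703600: {"woocommerce_plugin_background_installer": {"1" * 32: {"schedule": False, "args": ["2mb-autocode"]}}},
    "version": 2,
})

if __name__ == "__main__":
    for event in suspicious_cron_events(SAMPLE_CRON):
        print(event)
```

Feed it the raw option_value of the cron row (for example from SELECT option_value FROM wp_options WHERE option_name = 'cron'); a schedule that contains serialized objects (O:) will raise, which is itself worth a look since WP-Cron only stores arrays and scalars. A one-off installer event with schedule set to false, as in the sample, is the shape described above.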

No Mobilization Yet

In most infections, there will be one or more active methods in place to bring value of some form to the attacker. Whether an infected site is serving spam emails, hosting a phishing scam, or any other direct or indirect monetization, there’s often a clear goal identified as part of the triage process. However, despite the rapid occurrence of these identified cases, so far our research has only turned up backdoor scripts on sites impacted by this issue. No “end-stage” payloads intended to directly benefit an attacker have yet been associated with these attacks.

This behavior can mean a number of different things. It’s possible that these attackers are stockpiling infected hosts to be packaged and sold wholesale to another actor who has their own intentions. There’s also the chance that these attackers do have their own goals in mind, but haven’t launched that phase of the attack yet. In either case, sites impacted by these attacks should immediately work to identify and remove any backdoors present.

Indicators Of Compromise

The following section contains a series of IOCs (Indicators of Compromise) that can be used to assist in identifying and triaging cases similar to the ones in this report. Be advised that any common methods may be changed by the malicious actor at any time, especially as more attackers begin exploiting this vulnerability.

Most Prevalent Attacking IP Addresses

Admin Creation Method:

109.234.39.250

109.234.37.214

Cron Injection Method

46.39.65.176

195.123.213.91

Outbound Domains Accessed

pornmam.com

Malware Hashes

Admin Creation Method Backdoor

MD5: b6eba59622630b18235ba2d0ce4fcb65

SHA1: 577293e035cce3083f2fc68f684e014bf100faf3

Cron Injection Method Backdoor

MD5: c62180f0d626d92e29e83778605dd8be

SHA1: 83d9688605a948943b05df5c548bea6e1a7fe8da

Database Indicators

The presence of unauthorized accounts in your site’s users table, including but not limited to the following examples:

t2trollherten

t3trollherten

An entry in your site’s options table with an option_name starting with 2mb_autocode (If not used intentionally)

The option default_role set to anything other than “subscriber” unless directly intentional.

The option users_can_register enabled unintentionally.

Installed Plugins

2MB Autocode (If not used intentionally)
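To turn the indicators above into a repeatable check, here is an added triage script written for this post (not Wordfence tooling). It takes an export of the options table and the user list, for example from wp option list --format=csv and wp user list --fields=user_login --format=csv (assumed WP-CLI invocations), plus a mapping of file paths to contents, and reports the database indicators, account names and backdoor hashes listed in this section. The hashes and login names come from the report; the sample inputs are constructed and contain placeholder content rather than the real backdoor, so the hash check is exercised but does not match.

```python
"""Check a WordPress site export against the database and file indicators listed above."""
import csv
import hashlib
import io

# Hashes and account names published in the report above.
KNOWN_BACKDOOR_HASHES = {
    "b6eba59622630b18235ba2d0ce4fcb65": "admin-creation backdoor wp-cache.php (MD5)",
    "577293e035cce3083f2fc68f684e014bf100faf3": "admin-creation backdoor wp-cache.php (SHA1)",
    "c62180f0d626d92e29e83778605dd8be": "cron-injection backdoor wp-cache.php (MD5)",
    "83d9688605a948943b05df5c548bea6e1a7fe8da": "cron-injection backdoor wp-cache.php (SHA1)",
}
KNOWN_ROGUE_LOGINS = {"t2trollherten", "t3trollherten"}


def check_options(option_csv: str):
    """option_csv: rows of option_name,option_value (e.g. from `wp option list --format=csv`)."""
    findings = []
    for row in csv.DictReader(io.StringIO(option_csv)):
        name, value = row["option_name"], row["option_value"]
        if name.startswith("2mb_autocode"):
            findings.append(("option", name, "2MB Autocode option present (expected only if installed on purpose)"))
        elif name == "default_role" and value != "subscriber":
            findings.append(("option", name, "default_role is %r, not 'subscriber'" % value))
        elif name == "users_can_register" and value == "1":
            findings.append(("option", name, "open registration is enabled"))
    return findings


def check_users(user_csv: str):
    """user_csv: rows with a user_login column (e.g. from `wp user list --fields=user_login --format=csv`)."""
    return [("user", row["user_login"], "login matches a name seen in these attacks")
            for row in csv.DictReader(io.StringIO(user_csv))
            if row["user_login"] in KNOWN_ROGUE_LOGINS]


def check_files(files):
    """files: {relative_path: bytes}. Flags hash matches and any file named wp-cache.php."""
    findings = []
    for path, data in files.items():
        for digest in (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()):
            if digest in KNOWN_BACKDOOR_HASHES:
                findings.append(("file", path, "hash match: " + KNOWN_BACKDOOR_HASHES[digest]))
        if path.rsplit("/", 1)[-1] == "wp-cache.php":
            # Not a WordPress core file; confirm it belongs to an installed plugin before trusting it.
            findings.append(("file", path, "file named wp-cache.php, the name used by both backdoors"))
    return findings


def triage(option_csv, user_csv, files):
    """Run all three checks and return a list of (kind, name, reason) tuples."""
    return check_options(option_csv) + check_users(user_csv) + check_files(files)


# Constructed sample inputs, not data from a real site.
SAMPLE_OPTIONS = """option_name,option_value
siteurl,https://example.com
users_can_register,1
default_role,administrator
2mb_autocode_topstring,"<?php /* constructed placeholder */ ?>"
"""
SAMPLE_USERS = """user_login
admin
t2trollherten
"""
SAMPLE_FILES = {"wp-content/uploads/wp-cache.php": b"<?php /* constructed placeholder, not the real backdoor */"}

if __name__ == "__main__":
    for kind, name, reason in triage(SAMPLE_OPTIONS, SAMPLE_USERS, SAMPLE_FILES):
        print("%-6s %-35s %s" % (kind, name, reason))
```

Hash matches are conclusive, the other findings are leads: a site that deliberately allows registration or uses 2MB Autocode will trigger the option checks, and the attackers can rename files or accounts at any time, as the section warns.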

Conclusion

It is our hope that the details revealed by this research can be used to assist others in the security sphere to track and prevent these exploits. However, the attacks first seen following an impactful security disclosure can be considerably different from those seen in the weeks and months after. Given the scope of the vulnerability in question, it’s likely that more unique and sophisticated attack methods will be seen in the wild before long.

As always, we stress the importance of performing regular plugin updates to prevent these attacks from succeeding in the first place. The Wordfence plugin notifies administrators of outdated plugins automatically in order to help facilitate a quick response to potential vulnerabilities. In addition, the Wordfence Threat Intelligence team has released firewall rules and malware signatures to our premium customers in real-time to protect against this exploit and detect the indicators of compromise associated with the attack.

WordPress, Joomla, Drupal and many other popular website CMSs were written in a programming language called PHP. PHP version 5 is about to reach end-of-life and will stop receiving security updates in two months. Many WordPress and other PHP websites remain on version 5.6 or older. Once support for PHP 5 ends in two months, these sites are in a precarious position and will become exploitable as new PHP 5 vulnerabilities emerge without security updates.

This post is in a FAQ format and describes why PHP 5 is reaching end-of-life, what the timeline is and what to do about it. The Wordfence team is working to create awareness of this issue in the WordPress and broader PHP community. You can help by sharing this post with your colleagues that manage PHP websites or use WordPress.

What is End-Of-Life or ‘EOL’ in Software?

When a software product reaches EOL, it is no longer supported by software developers. That means that, even if someone finds a security hole in the software, the developers will not fix it.

If a development team is productive, they will release many versions of the software they work on over time. It becomes impractical to support every version of the code ever released. So a compromise needs to be made.

This compromise is that the development team will only support their software for a certain amount of time. After that time has elapsed, the development team suggests that the user community upgrade to a newer version of the same software, which usually does things better than the old versions and is fully supported.

Is PHP Version 5 going to be EOL soon?

Yes. PHP version 5 will be declared End-Of-Life on January 1st, 2019. That is, in approximately two months at the time of writing.

The PHP development team’s policy with regards to end-of-life is as follows: each release of PHP is fully supported for two years from the date of release. Then it is supported for an additional year for critical security issues only. Once three years have elapsed from the date of release, the version of PHP is no longer supported.

PHP 7.0, the very first PHP 7 release, was released on 3 December, 2015, almost three years ago. PHP version 5 is rapidly approaching end-of-life and will no longer be supported starting on 1 January, 2019.

The final branch of PHP version 5 that is still supported is PHP 5.6. Because this is the final PHP 5 branch, the PHP team chose to extend the security fix period from the usual one year to two years. That extended security support will end on 1 January 2019.

Why Should I Upgrade to PHP 7?

As mentioned above, PHP 5 will no longer be supported with security fixes, starting on 1 January 2019. That means that even if a vulnerability is discovered, it won’t be fixed, leaving your website vulnerable.

PHP 7 has many improvements over PHP version 5. These include performance improvements. PHP 5 has many known bugs that relate to performance, memory usage and more. PHP 7 is actively supported and developers are therefore able to implement those improvements and make your website run faster, be more stable and use your expensive resources more efficiently.

As an added benefit, PHP 7 also allows the use of more modern programming structures, which is a nice benefit for software developers.

How can I find out my PHP version?

If you are using WordPress and running the Wordfence security plugin, simply go to “Tools”, then click on the “Diagnostics” tab at the top right. Scroll down to the “PHP Environment” section and you will be able to see your PHP version on the right side of the page.

If you have FTP access to your website, you can create a file with a name that is hard to guess. Then add the following two lines:

<?php
phpinfo();

Save the file in your web root directory and then visit the file in your web browser. Your PHP version will be displayed at the top of the screen. Don’t forget to delete your temporary file once you’re done.

Which specific version of PHP 7 should I upgrade to?

Ideally, you should upgrade to PHP 7.2 which is the newest version of PHP. This version will be fully supported for another year and will receive security updates for a year after that.

If you are unable to upgrade to 7.2, then at a minimum you should upgrade to PHP 7.1. Full support for PHP 7.1 will end in 1 month. However, you will continue to receive security updates for another year after that.

Do not upgrade to PHP 7.0. This version will also become end-of-life in one month.

Does PHP 5 have any vulnerabilities?

Security vulnerabilities are continuously reported in PHP. Some of these are serious. Viewing this page on CVEDetails.com will give you an idea of the volume and severity of PHP vulnerabilities that have recently been reported.

Many of the vulnerabilities reported in PHP were discovered this year. Many more will be discovered in PHP version 5 next year, after security support for all versions of PHP 5 has ended. That is why it is critically important that you upgrade to a version of PHP 7 that is supported and is receiving security updates.

Will anything break if I update to PHP 7.2?

You may discover incompatibilities that need to be fixed by a developer if you update to PHP 7.2. PHP has undergone some changes since version 5 which have improved the language and made it more secure, but may result in warnings or errors for code that has not been made compatible with PHP 7.

However, it is very important that you make sure that your themes and plugins are also compatible with PHP 7.2. If you are using an unmaintained theme or plugin, you may encounter warnings or errors due to incompatibilities. For this reason, we recommend you test your website on a hosting account or server that is running PHP 7.2. If you encounter any problems, contact the developer of the theme or plugin and ask them for an urgent fix. Remind them that PHP 5.6 reaches end-of-life in just two months and that you must update to PHP 7.2 by then.

What if my hosting company does not support PHP 7?

Your hosting account should include some kind of control panel or options and settings page. If you’re not seeing an option to upgrade to PHP 7, you should contact your hosting company’s support team to see what your options are. If none are available, we recommend you transition to new hosting before the end of the year.

What if my developer does not support PHP 7?

PHP 7.0 was released two years and 10 months ago. If your developer’s plugin, theme, or other PHP product does not support PHP 7 at this point, it is quite likely that the project is unmaintained. If the project was being maintained, then they would have had users who are using PHP 7 report problems within the last 2 years and 10 months, which they would have fixed.

Using unmaintained software is a bad idea because it means that security vulnerabilities are not being fixed. So if you do encounter incompatibilities when upgrading to PHP 7.2, this may be a red flag and may indicate you should move on to using an alternative product that is being actively maintained.

What is the easiest way to upgrade to PHP 7.2?

Many hosting providers offer a one-click PHP version change in cPanel. This allows you to switch to PHP 7 and check your site for problems. If something doesn’t work, you can switch back and create a plan for addressing the issues you found.

If you can’t find where to update your PHP version, your hosting provider can advise you how to update PHP in their environment. It may mean them making a change on their end or even moving your site to another server.

Remind me again why I need to update to PHP 7.2?

The really good news is that you are probably going to see a nice performance improvement when you update your site. Sure, you may need to deal with a few, hopefully minor incompatibilities. But once you have updated to PHP 7.2, you can rest assured that you will continue to receive security updates until November 30, 2020.

If you remain on PHP 5.6, you may find yourself dealing with a hacked site some time next year when a vulnerability is released for PHP 5.6 and no fix is released by the PHP team because PHP 5.6 is end-of-life.

How can I help?

This deadline is coming up fast. All versions of PHP 5 will stop receiving security updates in 2 months. There are a huge number of websites that are still on PHP 5. As soon as security updates end, attackers will be highly motivated to find vulnerabilities that they can exploit, because those vulnerabilities will not be fixed and will be exploitable for a long time.

To help transition the global web community to PHP 7, please spread the word by sharing this post and helping create awareness about this tight deadline and how to transition to PHP 7.

As a small business owner, you may find website development very costly, sometimes so costly that you never get your website off the ground. This weekend’s special will help you get online without destroying your budget. Plus, this week, we’ve added in some extra goodies!

Specials for this weekend!

Website Design / Redesign (starting at $300)

Up to 7 pages

Up to 3 different contact forms

Done within 48 hours

Logo Design ($150)

Up to 5 revisions

Up to 3 variations

Website Security Protection (starting at $39/mo for life)

Malware protection

Malware removal

Monthly security reporting

Upgrades available for real-time reporting

Landing Page Design (starting at $250)

Includes main landing page & checkout page

Integrate with Stripe / PayPal / Square / Auth.net

Full Google Analytics available (upon request)

Free Website Audit & Security Scan

Free SEO and page optimization report

Free security scan (malware/virus/malicious scripts)

Free blacklist checker

Free SSL checker

Feel free to share this post with anyone who may need our services. These prices are only good until Monday, so you will need to contact us right away!

To get started, please either use the form below, or call (877) WEB-FIXR.

Please fill out the form below:

We will get back to you as soon as possible. We’re limiting the $300 web design to the first 5 websites. Add ecommerce for $50.

It’s the year 2018, and responsive websites are considered the industry standard. So why did your web developer overlook such an important feature when building your website? This is a question I have to ask our clients far too often. If your website is over 5 years old, odds are it may not be as responsive as you think. Do you have a responsive website?

What is a “Responsive Website”?

The general concept behind a responsive website is a website that is viewable on any device. Whether it’s a tablet, a mobile phone, a desktop, or a laptop, the visitor’s version of your website should be tailored to whichever device they are viewing it on.

How Does Responsive Web Design Work?

Responsive sites use fluid grids. All page elements are sized by proportion, rather than pixels. So if you have three columns, you wouldn’t say exactly how wide each should be, but rather how wide they should be in relation to the other columns. Column 1 should take up half the page, column 2 should take up 30%, and column 3 should take up 20%, for instance.

Media such as images are also resized relatively. That way an image can stay within its column or relative design element.

To put it simply, responsive websites automatically adjust to the visitor’s browsing environment.

Why Small Businesses Need to Switch to Responsive Web Design

More people are using mobile devices. According to a recent Pew study, 77% of Americans own smartphones in 2018, up from just 35% in Pew Research Center’s first smartphone ownership survey, carried out in 2011.

Check your traffic and you might just be shocked at how many visitors are getting to your website through mobile devices. (In your Google Analytics, select “Audience” on the left side, then “Mobile” to see what proportion of traffic is from mobile devices. You can even drill down to see which devices are sending the traffic.)

Is your website Responsive?

Let’s find out! Use our free website audit tool, and we will email a detailed report directly to you. The report is easy to understand, and provides a checklist of items that you can do to enhance the user experience on your website.

The Importance of Website Monitoring & Maintenance

One of the most common misconceptions about owning a website is that “once my website is built, I shouldn’t have to think about it.” This could not be further from the truth. This article outlines some basic website monitoring techniques that will help keep your website strong, safe, and secure.

In 2018, hackers and other bad actors are smarter and more resourceful than ever. They can easily identify websites that are not up-to-date with security standards, patches, and general updates. Over 85% of all websites online today have major vulnerabilities that could easily be exploited.

The Importance of Website Monitoring & Maintenance

So, what exactly is website monitoring, and what aspects of your website should you monitor?

Website monitoring plays an important role in maintaining a healthy (and fast) website. Everything from uptime monitoring (ensuring your website is always available for your visitors) to WAFs (web application firewalls) allows you to keep an eye on the overall performance of your website while blocking malicious activity before it hits your website. But those two things are just the foundation of a strong monitoring strategy.

Website Backups:

Your website should be an integral part of your business, and you should have a backup strategy that includes daily backups and fast redeployment in case your website gets hacked or attacked. We recommend following the 14/4/3 (14 daily backups / 4 weekly backups / 3 monthly backups) strategy. Following this (or a similar) strategy will ensure that no matter what happens, you will have a working copy of your website on hand to deploy in any worst-case scenario.

Malware Scanning / Removal:

Has your website ever been blacklisted by Google or Norton? Odds are, you had some malware in one or more of your website files. There are several free tools available to scan for malware, but, what do you do when you find malware in your website? Some companies charge hundreds of dollars, or require difficult processes to remove the malware that are hard to follow and understand. That’s where Website Butlers come into play.

Website Speed Monitoring:

Fast sites rank higher in search engines. Fast sites build confidence in their visitors. Fast sites are good for business. Monitoring your website’s page load times can actually increase sales and leads for your business, but more importantly, it will provide your users with the best possible experience.

Tools like Yslow can help you identify why your website is loading at a less-than-optimal speed, and they will give you a simple ranking from A+ – F. It is very important that you understand your website’s speed score, and put together an action list to remediate any issues that may arise.

To be continued…

We appreciate you taking the time to read this article. If you have any questions, feel free to call our support team at 877-WEB-FIXR or email us at support@websitebutlers.com.

Here at Website Butlers, we’re always looking for ways to help our users. We found this article on Kinsta that covers a very common issue for a lot of our users. You can read it in its entirety here.

What is the Your Connection is Not Private Error?

The “your connection is not private” error only pertains to sites that are running over HTTPS (or should be running over HTTPS). When you visit a website, your browser sends a request to the server where the site is hosted. The browser then has to validate the certificate installed on the site to ensure it is up to current privacy standards. Other things that also take place include the TLS handshake, the certificate being checked against the certificate authority, and decryption of the certificate.

If the browser finds that the certificate isn’t valid, it will automatically try to prevent you from reaching the site. This feature is built into web browsers to protect the user. If the certificate isn’t set up correctly, this means data can’t be encrypted properly and therefore the site is unsafe to visit (especially those with logins or that process payment information). Instead of loading the site, it will deliver an error message, such as “your connection is not private.”

Your Connection is Not Private Error Variations

There are quite a few different variations of this error depending upon which web browser you’re using, operating system, and even the configuration of the certificate on the servers. And while some of these errors sometimes mean slightly different things, a lot of times the troubleshooting steps are the same.

Google Chrome

In Google Chrome if there is an issue validating the certificate the error will show as “your connection is not private” (as seen below).

If you are a member of Website Butlers, you have already received this upgrade. If you are not a member, please contact us for help upgrading to WP 4.9.8. Keeping your WordPress site updated is the best way to protect it from hackers and vulnerabilities.
